Do you need to ping the inside interface of an ASA across a VPN tunnel?
Maybe you need to do this for monitoring purposes, or whatever.
Allow ICMP to the inside interface from the monitoring station:
icmp permit host 192.168.1.10 inside
Monitoring station -> 192.168.1.10
Inside interface -> inside
Because the packet arrives through the tunnel on the outside interface but is addressed to the inside interface, the inside interface also has to be designated as the management-access interface (the management-access command); without that the ASA will not answer, even though the icmp permit is in place.
Cisco ASA 8.3 has introduced major changes in how NAT is configured and operates.
This video is an excellent resource for a basic introduction to NAT on ASA 8.3 software:
Here are some quick notes that I have gathered for my reference. Feel free to post any additional comments and notes you may have to share:
show run object
(Displays the network and service objects in the running config)
show run object id <name>
(Displays a single object by name)
show run nat
(Displays the NAT configuration in the running config)
show nat
(Displays the NAT policies by section, with their translate/untranslate hit counters)
Use packet-tracer to test NAT (and other things); it shows which NAT rule and which ACL a packet would hit:
packet-tracer input inside tcp 10.0.0.40 4444 220.127.116.11 80
- Configure Auto-NAT:
object network inside
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
Note: This creates the network object for the inside subnet and, inside the same object, a dynamic PAT rule that hides the whole subnet behind the outside interface address.
- Configure Twice (manual) NAT:
nat (inside,outside) source dynamic inside-net translated-ip destination static cisco-dot-com cisco-dot-com
Note: You must define the network objects for the source and destination (inside-net, translated-ip, cisco-dot-com) before configuring manual NAT. In this example the source address of an inside host is translated to translated-ip only when the packet is destined for cisco-dot-com. cisco-dot-com appears twice because the destination is not translated (identity). If you wanted to translate the destination as well, you would do it here; note that the destination pair is written mapped object first, then real object, the reverse of the source pair.
- Exempt subnets from NAT because of a VPN tunnel (identity NAT, the 8.3 replacement for the old nat 0 exemption):
nat (inside,outside) source static inside-net inside-net destination static vpn-subnets vpn-subnets
This statement matches inside hosts talking to the remote VPN subnets. Traffic that matches both the source and the destination is processed by NAT, but the source and destination are translated to themselves, so the packets reach the tunnel with their real addresses. Because manual NAT rules (section 1) are evaluated before Auto-NAT rules (section 2), this rule takes precedence over the dynamic PAT rule above for traffic to vpn-subnets, which is exactly what you want.
- General Notes:
ASA 8.3 has two types of NAT: Auto-NAT (object NAT) and Twice (manual) NAT. Auto-NAT covers most NAT/PAT needs; use manual NAT when the translation has to depend on the destination address of the packet as well as the source.
ASA 8.3 also introduced the "Real IP" change. Real IP means that an inbound packet's destination is untranslated BEFORE the interface ACL is checked, so ACLs must reference the real (untranslated) address of the host the packet is headed towards. In other words, do not write the ACL to match the "mapped" address that is visible on the outside; before 8.3 that was required, which makes this the most common mistake when migrating old configs. The real address is normally a private, non-routable address.
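The notes above, assembled into one complete configuration as an added example (this is not config from the original post): the object definitions the manual NAT lines depend on, the identity NAT for the VPN subnets placed in front of the dynamic PAT, a static Auto-NAT for a web server, and the inbound ACL written against the server's real address as the Real IP rule requires, followed by the checks that confirm the order of evaluation. All addresses and the names web-server, outside_in and the vpn-subnets members are made-up placeholders; cisco-dot-com is given a fixed host address here only so that the object is complete.

```cisco
! --- Objects referenced by the NAT rules (names and addresses are assumptions) ---
object network inside-net
 subnet 192.168.1.0 255.255.255.0
object network translated-ip
 host 203.0.113.50
object network cisco-dot-com
 host 198.51.100.10
object network web-server
 host 192.168.1.20
object-group network vpn-subnets
 network-object 10.10.0.0 255.255.0.0
 network-object 10.20.0.0 255.255.255.0
!
! --- Section 1: manual (twice) NAT, evaluated first, in the order listed ---
! Identity NAT: inside -> remote VPN subnets keeps the real addresses on both
! sides, so this traffic is exempt from the PAT below and matches the crypto ACL.
nat (inside,outside) source static inside-net inside-net destination static vpn-subnets vpn-subnets
! Destination-dependent translation: inside hosts appear as translated-ip only
! when talking to cisco-dot-com. The destination pair is identity (mapped, then
! real). "dynamic" to a single host object is one-to-one dynamic NAT, so only one
! inside host at a time can hold the mapped address; use a larger object for more.
nat (inside,outside) source dynamic inside-net translated-ip destination static cisco-dot-com cisco-dot-com
!
! --- Section 2: auto (object) NAT ---
! Dynamic PAT for everything else leaving the inside subnet (the post put this in
! a separate object named "inside"; reusing inside-net avoids a duplicate subnet).
object network inside-net
 nat (inside,outside) dynamic interface
! Static one-to-one mapping for the web server
object network web-server
 nat (inside,outside) static 203.0.113.20
!
! --- Real IP: the ACL on the outside interface names the server's REAL address ---
! Writing "host 203.0.113.20" here (the mapped address) would silently match nothing.
access-list outside_in extended permit tcp any host 192.168.1.20 eq 80
access-group outside_in in interface outside
!
! --- Checks ---
! Hit counters for every rule, grouped by section, so you can see which rule fires:
show nat
! Inbound from the internet to the MAPPED address: the ASA untranslates to
! 192.168.1.20 first, then evaluates outside_in; expect "Action: allow".
packet-tracer input outside tcp 198.51.100.77 40000 203.0.113.20 80
! Inside host to a VPN subnet: the identity rule in section 1 should be the one
! shown in the NAT phase, not the dynamic PAT.
packet-tracer input inside icmp 192.168.1.10 8 0 10.10.5.5
! Inside host to anything else: the PAT rule in section 2 should fire instead.
packet-tracer input inside tcp 192.168.1.10 4444 198.51.100.99 443
```

The two packet-tracer runs from the inside are the quickest way to prove the rule ordering: if the identity rule is missing or placed after a broader manual rule, the VPN traffic is PATed to the outside interface address and never matches the tunnel.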
Create an ISO image from the disc in the optical drive:
dd if=/dev/sr0 of=/tmp/your-iso.iso
For other great tips see:
Well, we are working feverishly to migrate all of our Linux and Windows servers off of our old trusty Virtual Iron cluster to our shiny new VMware ESX cluster.
Good Bye Virtual Iron, I’ll miss you. Let’s remember how Virtual Iron was eaten alive by the Oracle Monster.
You need the following serial settings to access the console port on a Cisco Aironet 1200 Series AP.
Hardware Flow Control = OFF
Software Flow Control = OFF
If you can see output from the console but your keystrokes are ignored, check the flow control settings.
Recently I was trying to bring up an EtherChannel connection between a Catalyst 3750 and a Catalyst 4507.
I was going to join 4 ports together, one from each of the first 4 blades on the 4507. It is good to use several blades to protect against a blade failure.
However, when I went to bring up the bundle using LACP, within seconds all bundled ports were shut down and this logging message popped up:
%PM-4-ERR_DISABLE: channel-misconfig (STP) error detect on GigabitEthernet1/0/45.
I was really stumped as to what was causing this. Google searching did not really return any clear answers.
The message was stating that the error was somehow related to Spanning Tree Protocol. I turned on all Spanning Tree debugs and re-enabled just the first port, but the debugs didn't show anything unusual. What was interesting is that this error was only occurring on the 3750; no errors were showing up on the 4507. I double-checked the STP root bridge priorities, etc.
I started to go through the running-config on the 3750 with a fine-toothed comb. It was then that I noticed this config towards the top:
spanning-tree etherchannel guard misconfig
This config intrigued me. I had not noticed it before and I was unclear as to what it might do. I negated the command with no and again tried to bring up just the first interface in the bundle. No cigar, same epic fail. At this point, I saved the config (write mem) and reloaded the switch. Once the switch was back up, I again tried to bring up the bundle members, but in reverse order, starting with gi1/0/48 and moving towards gi1/0/45. One by one, they were each able to join the bundle. Finally, I went to bring up the last interface, gi1/0/45. It came up, however the command show etherchannel 2 summary showed that it was in the waiting state (state w). It seemed to stay in waiting for about a minute until it changed to I. The status I indicates that the port is individual and not part of the bundle.
I thought that it was strange for gi1/0/45 to go to individual mode. I then traced the cabling from gi1/0/45 on the 3750 to fa3/3 on the 4507. “Now just you wait a sec!” I found that I had accidentally cabled to port fa3/5 instead. This was the wrong port and was not configured to be part of the etherchannel.
spanning-tree etherchannel guard misconfig
was trying to tell me that I had a mis-cabled port! That's pretty sweet. I did a quick Google search on the command and found that it essentially lets EtherChannel use STP to detect misconfigurations (including messed-up cabling).
This story has two morals:
1) Definitely keep spanning-tree etherchannel guard misconfig configured (it is on by default on Catalyst switches, so make sure nobody has turned it off). That command is just another of those that will watch your back. You just gotta love those commands.
2) If your ports are going err-disabled and you're getting that odd STP channel-misconfig error, go check your cabling and which ports are actually configured for the channel on the far end before you blame STP. Once the cabling is fixed, shut/no shut the err-disabled members to bring them back.
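A minimal LACP bundle matching the story, given as an added example rather than the post's own configuration, so the guard's behaviour can be seen end to end: the guard left on, the four members on each side, and the commands that show a member stuck in waiting or individual state and why. The 3750 interfaces and channel number follow the post; the 4507 slots (3 through 6, port 3 on each) and the trunk settings are assumptions.

```cisco
! 3750 side (the post's interfaces gi1/0/45-48, port-channel 2)
! The guard is on by default; stating it makes a "no" form visible in a diff.
spanning-tree etherchannel guard misconfig
interface range GigabitEthernet1/0/45 - 48
 description uplink to 4507, LACP bundle Po2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 2 mode active
!
! 4507 side: one port on each of four line cards (slot numbers assumed).
! Every physical port cabled from the 3750 MUST be in this list; a port that is
! cabled but not in the channel-group is exactly the mis-cabling the guard catches.
interface range FastEthernet3/3 , FastEthernet4/3 , FastEthernet5/3 , FastEthernet6/3
 description downlink to 3750, LACP bundle Po2
 switchport mode trunk
 channel-group 2 mode active
!
! --- Verification (run on the 3750) ---
! Every member should show P (bundled in port-channel); w = waiting to be
! aggregated, I = stand-alone/individual, D = down.
show etherchannel 2 summary
! Lists err-disabled ports with the cause; "channel-misconfig" means a member
! received STP BPDUs as if it were a standalone link, i.e. the far end is not bundled.
show interfaces status err-disabled
! LACP view of the far end: a member whose partner shows no port-channel is the
! one that lands on the wrong port.
show lacp neighbor
!
! --- Recovery after re-cabling: clear err-disable by bouncing the member ---
interface GigabitEthernet1/0/45
 shutdown
 no shutdown
```

On a Catalyst 3750 the trunk encapsulation has to be set before switchport mode trunk is accepted, which is why it appears only on that side.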
Did you just install mod_security or restart Apache?
Do you want to make sure that mod_security is working? Well, if you have installed the CRS, then you are in luck! Here is a simple way to test operation.
First, set up a tail -f on whatever file you have mod_security logging violations/alerts to (the audit log, or the Apache error log if you only log there).
Next, from another Linux box that has wget installed, run this command:
wget -O - -U "webtrends security analyzer" https://rp.vitamix.com
Finally, back in the audit log you should see an alert logged, because the user agent "webtrends security analyzer" is on the list of known security scanners that the CRS matches on. If the rule engine is in blocking mode the wget will also come back with a 403; if it is in DetectionOnly mode the page is served normally but the alert is still written, so judge by the log rather than by the HTTP response.
Do you work with Red Hat Enterprise Virtualization, or are you interested in it?
Why not head on over to the unofficial IRC channel for all things RHEV?
There's a great group of people hanging out there who can offer assistance and great insights.
We can be found at: chat.freenode.net #rhev
Hope to see you there!
NOTE: This IRC channel is in no way officially related to Red Hat, Inc.
Here is a handy matrix I found that shows which Remote Access Card interfaces are supported by RHEL and RHEV:
Are you trying to configure Power Management on Red Hat Enterprise Virtualization? Does the test keep failing?
Leave the Port field empty; it is only used with IBM BladeCenter fencing.
Here is the KB article that describes this:
Another KB matrix on fencing:
When using a DRAC6 RAC interface, select ipmilan as the fence agent type.